CVE-2004-0165
CVSS 5.0
Published: 2004-03-15 00:00:00
Revised: 2008-09-10 15:25:20
NMCOPS

[Original] Format string vulnerability in Point-to-Point Protocol (PPP) daemon (pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers to read arbitrary pppd process data, including PAP or CHAP authentication credentials, to gain privileges.


[CNNVD] Apple Mac OS X PPPD local format string memory disclosure vulnerability (CNNVD-200403-062)

Mac OS X is an operating system for Mac machines, based on BSD.
The ppp daemon shipped with Apple Mac OS X mishandles invalid command line arguments; a local attacker can exploit this vulnerability to read part of the pppd process memory.
The ppp daemon is installed by default on Mac OS X and contains a format string vulnerability. This format string issue cannot be exploited via %n; however, because command line arguments are not filtered before being handed to vslprintf(), the format string issue can be triggered, and exploiting it can disclose parts of the pppd process memory, such as PAP or CHAP authentication information.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:apple:mac_os_x:10.1.5  Apple Mac OS X 10.1.5
cpe:/o:apple:mac_os_x:10.3.1  Apple Mac OS X 10.3.1
cpe:/o:apple:mac_os_x_server:10.2.1  Apple Mac OS X Server 10.2.1
cpe:/o:apple:mac_os_x:10.2  Apple Mac OS X 10.2
cpe:/o:apple:mac_os_x_server:10.2.6  Apple Mac OS X Server 10.2.6
cpe:/o:apple:mac_os_x:10.2.7  Apple Mac OS X 10.2.7
cpe:/o:apple:mac_os_x:10.1.4  Apple Mac OS X 10.1.4
cpe:/o:apple:mac_os_x_server:10.1  Apple Mac OS X Server 10.1
cpe:/o:apple:mac_os_x:10.1  Apple Mac OS X 10.1
cpe:/o:apple:mac_os_x:10.2.5  Apple Mac OS X 10.2.5
cpe:/o:apple:mac_os_x_server:10.2  Apple Mac OS X Server 10.2
cpe:/o:apple:mac_os_x_server:10.2.4  Apple Mac OS X Server 10.2.4
cpe:/o:apple:mac_os_x_server:10.1.2  Apple Mac OS X Server 10.1.2
cpe:/o:apple:mac_os_x_server:10.2.7  Apple Mac OS X Server 10.2.7
cpe:/o:apple:mac_os_x:10.2.2  Apple Mac OS X 10.2.2
cpe:/o:apple:mac_os_x:10.2.4  Apple Mac OS X 10.2.4
cpe:/o:apple:mac_os_x:10.2.3  Apple Mac OS X 10.2.3
cpe:/o:apple:mac_os_x:10.1.3  Apple Mac OS X 10.1.3
cpe:/o:apple:mac_os_x:10.3.2  Apple Mac OS X 10.3.2
cpe:/o:apple:mac_os_x:10.2.8  Apple Mac OS X 10.2.8
cpe:/o:apple:mac_os_x:10.2.1  Apple Mac OS X 10.2.1
cpe:/o:apple:mac_os_x_server:10.2.8  Apple Mac OS X Server 10.2.8
cpe:/o:apple:mac_os_x:10.1.1  Apple Mac OS X 10.1.1
cpe:/o:apple:mac_os_x_server:10.3.1  Apple Mac OS X Server 10.3.1
cpe:/o:apple:mac_os_x_server:10.2.5  Apple Mac OS X Server 10.2.5
cpe:/o:apple:mac_os_x:10.2.6  Apple Mac OS X 10.2.6
cpe:/o:apple:mac_os_x_server:10.3.2  Apple Mac OS X Server 10.3.2
cpe:/o:apple:mac_os_x_server:10.3  Apple Mac OS X Server 10.3
cpe:/o:apple:mac_os_x_server:10.1.3  Apple Mac OS X Server 10.1.3
cpe:/o:apple:mac_os_x_server:10.2.3  Apple Mac OS X Server 10.2.3
cpe:/o:apple:mac_os_x:10.3  Apple Mac OS X 10.3
cpe:/o:apple:mac_os_x_server:10.1.1  Apple Mac OS X Server 10.1.1
cpe:/o:apple:mac_os_x_server:10.2.2  Apple Mac OS X Server 10.2.2
cpe:/o:apple:mac_os_x:10.1.2  Apple Mac OS X 10.1.2
cpe:/o:apple:mac_os_x_server:10.1.5  Apple Mac OS X Server 10.1.5
cpe:/o:apple:mac_os_x_server:10.1.4  Apple Mac OS X Server 10.1.4

- OVAL (technical details for detection)

No related OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0165
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0165
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-062
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/841742
(VENDOR_ADVISORY)  CERT-VN  VU#841742
http://www.securityfocus.com/bid/9730
(VENDOR_ADVISORY)  BID  9730
http://www.atstake.com/research/advisories/2004/a022304-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A022304-1
http://xforce.iss.net/xforce/xfdb/15297
(VENDOR_ADVISORY)  XF  macos-pppd-format-string(15297)
http://www.osvdb.org/6822
(UNKNOWN)  OSVDB  6822
http://lists.apple.com/archives/security-announce/2004/Feb/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2004-02-23

- Vulnerability information

Apple Mac OS X PPPD local format string memory disclosure vulnerability
Medium  Input validation
2004-03-15 00:00:00 2005-05-13 00:00:00
Local

- Advisories and patches

Vendor patches:
Apple
-----
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage:
        Apple Mac OS X Server 10.2.8:
        Apple Upgrade SecUpdSrvr2004-02-23Jag.dmg
        
        http://www.info.apple.com/kbnum/n120322

        Apple Mac OS X 10.2.8:
        Apple Upgrade SecUpd2004-02-23Jag.dmg
        
        http://www.info.apple.com/kbnum/n120277

        Apple Mac OS X 10.3.2:
        Apple Upgrade SecUpd2004-02-23Pan.dmg
        
        http://www.info.apple.com/kbnum/n120323

        Apple Mac OS X Server 10.3.2:
        Apple Upgrade SecUpdSrvr2004-02-23Pan.dmg
        
        http://www.info.apple.com/kbnum/n120324

- Vulnerability information (F32753)

Atstake Security Advisory 04-02-23.1 (PacketStormID:F32753)
2004-02-24 00:00:00
David Goldsmith,Atstake  atstake.com
advisory,arbitrary
apple,osx
CVE-2004-0165

Atstake Security Advisory A022304-1 - The ppp daemon that comes installed by default in Mac OS X is vulnerable to a format string vulnerability. It is possible to read arbitrary data out of pppd's process. Under certain circumstances, it is also possible to 'steal' PAP/CHAP authentication credentials.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: Mac OS X pppd format string vulnerability
 Release Date: 02/23/2004
  Application: pppd 2.4.0
     Platform: Mac OS X 10.3.2 and below
     Severity: Local users are able to retrieve PAP/CHAP credentials
       Author: Dave G. <daveg@atstake.com>
Vendor Status: Vendor has security update 
CVE Candidate: CAN-2004-0165
    Reference: www.atstake.com/research/advisories/2004/a022304-1.txt


Overview: 

The ppp daemon that comes installed by default in Mac OS X 
is vulnerable to a format string vulnerability.  The vulnerability is
in a function specific to pppd that does not allow for traditional
exploitation (arbitrary data written to arbitrary memory locations)
via %n.  However, it is possible to read arbitrary data out of pppd's
process. Under certain circumstances, it is also possible to 'steal'
PAP/CHAP authentication credentials.

       
Details: 

When pppd receives an invalid command line argument, it will
eventually pass it as a format specifier to vslprintf().  This
function is a custom replacement for vsnprintf(), and does contain a
small subset of the format specifiers.  The offending function is
called option_error:

void
option_error __V((char *fmt, ...))
{
    va_list args;
    char buf[256];

#if defined(__STDC__)
    va_start(args, fmt);      
#else
    char *fmt;
    va_start(args);
    fmt = va_arg(args, char *);
#endif
    vslprintf(buf, sizeof(buf), fmt, args);
    va_end(args);
    if (phase == PHASE_INITIALIZE)     
        fprintf(stderr, "%s: %s\n", progname, buf);
#ifdef __APPLE__
    error(buf);
#else
    syslog(LOG_ERR, "%s", buf);
#endif
}

As we can see, there is a specific Apple ifdef that will pass our
buffer directly to error().  

By utilizing one of the techniques outlined in scut's paper,
"Exploiting Format String Vulnerabilities", it may be possible to
access PAP and/or CHAP credentials, if the OS X system is being used
as a PPP server.
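The fix for this class of bug is to stop using attacker-influenced text as the format argument at all: the format string must always be a literal owned by the program, and the user's text must travel through a "%s" argument, where a '%' is just a byte to copy. The block below is an added illustration, not code from the @stake advisory or from pppd. It assumes the standard vsnprintf() in place of pppd's vslprintf(), and the names option_error_fixed(), bad_option_message() and count_format_directives() are hypothetical helpers written for this example; the sample argument is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern (shown for contrast only, never called here):
 *     option_error(arg);            -- user text used AS the format string
 * Any '%' directive in arg is then interpreted by the printf engine, which
 * is exactly the memory-disclosure path described in the advisory. */

/* Hardened option_error: the format string is always a literal chosen by the
 * program; user-supplied text only ever arrives through a "%s" argument and is
 * copied verbatim. Returns the vsnprintf() result (characters that would have
 * been written). Assumes the standard vsnprintf() rather than vslprintf(). */
static int option_error_fixed(char *out, size_t outlen, const char *fmt, ...)
{
    va_list args;
    int n;

    va_start(args, fmt);
    n = vsnprintf(out, outlen, fmt, args);
    va_end(args);
    return n;
}

/* Build the error message for an unrecognized command line option.
 * The literal format lives here; 'arg' is data, so "%x%x%s" inside it is
 * printed as-is, not evaluated. Uses a static buffer so callers (and tests)
 * can inspect the result directly. */
const char *bad_option_message(const char *arg)
{
    static char buf[256];

    option_error_fixed(buf, sizeof buf, "unrecognized option '%s'", arg);
    return buf;
}

/* Defensive check for logging/detection: count '%' conversion directives in
 * a user-supplied argument. "%%" is an escaped literal percent and is not
 * counted. An option value that should never contain a percent sign but
 * yields a non-zero count is worth flagging in the daemon's log. */
int count_format_directives(const char *s)
{
    int count = 0;

    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') {   /* skip the escaped pair */
                s++;
                continue;
            }
            count++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample argument containing format directives. */
    const char *constructed_arg = "%x%x%x%s";

    printf("%s\n", bad_option_message(constructed_arg));
    printf("directives seen: %d\n", count_format_directives(constructed_arg));
    return 0;
}
```

The message produced for the constructed argument is the literal text `unrecognized option '%x%x%x%s'`; nothing is read from the stack, because the only format string vsnprintf() ever sees is the one the program wrote. The directive counter is a cheap signal for the error-logging path: a legitimate option name never contains '%', so a positive count is a reasonable thing to record alongside the rejected argument.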


Vendor Response:

This is fixed in Security Update 2004-02-23 for Mac OS X 10.3.2 and
Mac OS X 10.2.8.  Information about Apple Security Updates may be
found at http://www.info.apple.com/


Recommendation:

Install the vendor supplied upgrade.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2004-0165 Mac OS X pppd format string vulnerability


@stake Vulnerability Reporting Policy: 
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.





-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQDqNV0e9kNIfAm4yEQJDyACfdyoktRpVe2HdeJ+OXFrO0PCH5L4Anj1t
ayzDBWIsuXib+mhqIjrG7wDI
=4K2F
-----END PGP SIGNATURE-----
    

- Vulnerability information

6822
Apple Mac OS X pppd Format String Credential Leak
Local Access Required, Local / Remote, Context Dependent Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

Mac OS X pppd contains a flaw that may allow a malicious user to read CHAP or PAP authentication credentials in the pppd process. The issue is due to a format string error in a format specifier function "option_error()". By sending a specially crafted command line argument, a local attacker can read arbitrary data in pppd process, including the user's PAP/CHAP authentication credentials. This flaw may lead to a loss of confidentiality.

- Timeline

2004-02-23 Unknown
2004-02-23 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch (Security Update 2004-02-23) to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Apple Mac OS X PPPD Format String Memory Disclosure Vulnerability
Input Validation Error 9730
No Yes
2004-02-24 12:00:00 2009-07-12 03:06:00
Discovery of this vulnerability has been credited to Dave G. <daveg@atstake.com>.

- Affected program versions

Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.1.5
Apple Mac OS X Server 10.1.4
Apple Mac OS X Server 10.1.3
Apple Mac OS X Server 10.1.2
Apple Mac OS X Server 10.1.1
Apple Mac OS X Server 10.1
Apple Mac OS X Server 10.0
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X 10.2.8
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0 3
Apple Mac OS X 10.0

- Vulnerability discussion

The Apple Mac OS X pppd has been reported to be prone to a format string vulnerability. When the ppp daemon processes an invalid command line argument, a function, error(), is called on the user-supplied data. Format specifiers that are contained within the supplied data will be interpreted literally, providing an attacker a conduit to read from pppd process memory.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

The vendor has released Security Update 2004-02-23 to address this issue.


Apple Mac OS X 10.2.8

Apple Mac OS X Server 10.2.8

Apple Mac OS X 10.3.2

Apple Mac OS X Server 10.3.2

- References
